{"id":3872,"date":"2014-04-23T17:01:22","date_gmt":"2014-04-23T17:01:22","guid":{"rendered":"http:\/\/www.jitendrazaa.com\/blog\/?p=3872"},"modified":"2014-04-23T17:27:47","modified_gmt":"2014-04-23T17:27:47","slug":"implement-saml-based-single-sign-on-sso-salesforce-as-identity-provider-idp-salesforce-as-service-provider-sp","status":"publish","type":"post","link":"https:\/\/www.jitendrazaa.com\/blog\/salesforce\/implement-saml-based-single-sign-on-sso-salesforce-as-identity-provider-idp-salesforce-as-service-provider-sp\/","title":{"rendered":"Implement SAML based Single Sign On (SSO) | Using Salesforce as Identity Provider (Idp) as well as Service Provider (SP)"},"content":{"rendered":"<p style=\"text-align: justify;\"><a title=\"SAML Based Single Sign On (SSO) in Salesforce\" href=\"https:\/\/www.jitendrazaa.com\/blog\/salesforce\/step-by-step-guide-to-setup-federated-authentication-saml-based-sso-in-salesforce\/\">Previously we saw how to set up SAML-based Single Sign-On<\/a>, where Salesforce is the Service Provider and another application, such as AXIOM, is the Identity Provider. In this article we will use one Salesforce instance as the Identity Provider and another Salesforce instance as the Service Provider.<\/p>\n<p style=\"text-align: justify;\">Before starting, you have to decide which Salesforce instance will act as the Identity Provider and which one will act as the Service Provider. To avoid confusion, we can create an app with a different logo to distinguish the Identity Provider from the Service Provider, as I did.<\/p>\n<p style=\"text-align: justify;\"><strong>Step 1 : Enable Domain in Identity Provider Organization<\/strong><br \/>\nFrom Setup, click Domain Management | My Domain, enter a new subdomain name, and click Check Availability. 
If the name is available, click the Terms and Conditions check box, then click Register Domain.<!--more--><\/p>\n<p><strong>Step 2 : Enable Identity Provider<\/strong><\/p>\n<ul>\n<li>From Setup, click &#8220;<em>Security Controls | Identity Provider<\/em>&#8220;.<\/li>\n<li>Click Enable.<\/li>\n<li>Click &#8220;Download Certificate&#8221;. <em>Remember where you save the certificate, as you will upload it later.<\/em><\/li>\n<\/ul>\n<p>Once you enable Identity Provider, You will see page like below with Identity Provider related information<\/p>\n<figure id=\"attachment_3875\" aria-describedby=\"caption-attachment-3875\" style=\"width: 768px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Salesforce-Identity-Provider-Setup.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"wp-image-3875\" src=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Salesforce-Identity-Provider-Setup.png?resize=768%2C323&#038;ssl=1\" alt=\"Salesforce Identity Provider Setup\" width=\"768\" height=\"323\" srcset=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Salesforce-Identity-Provider-Setup.png?w=912&amp;ssl=1 912w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Salesforce-Identity-Provider-Setup.png?resize=300%2C125&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Salesforce-Identity-Provider-Setup.png?resize=624%2C262&amp;ssl=1 624w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a><figcaption id=\"caption-attachment-3875\" class=\"wp-caption-text\">Image 1 &#8211; Salesforce Identity Provider Setup<\/figcaption><\/figure>\n<p>In above image, Issuer is nothing but domain URL of Identity provider Org.<\/p>\n<p><strong>Step 3: Enable Single Sign On in\u00a0Service Provider Org<\/strong><br \/>\nNow we have to go to Other Salesforce 
Instance which is acting as Service Provider.<\/p>\n<ul>\n<li>From Setup, click &#8220;Security Controls | Single Sign-On Settings&#8221;, then click Edit.<\/li>\n<li>Select the SAML Enabled check box.<\/li>\n<li>Use the following settings:<\/li>\n<\/ul>\n<figure id=\"attachment_3877\" aria-describedby=\"caption-attachment-3877\" style=\"width: 739px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/SAML-Single-Sign-On-Setting-in-Service-Provider.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"wp-image-3877\" src=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/SAML-Single-Sign-On-Setting-in-Service-Provider.png?resize=739%2C437&#038;ssl=1\" alt=\"SAML Single Sign On Setting in Service Provider\" width=\"739\" height=\"437\" srcset=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/SAML-Single-Sign-On-Setting-in-Service-Provider.png?w=867&amp;ssl=1 867w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/SAML-Single-Sign-On-Setting-in-Service-Provider.png?resize=300%2C177&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/SAML-Single-Sign-On-Setting-in-Service-Provider.png?resize=624%2C369&amp;ssl=1 624w\" sizes=\"auto, (max-width: 739px) 100vw, 739px\" \/><\/a><figcaption id=\"caption-attachment-3877\" class=\"wp-caption-text\">Image2 &#8211; SAML Single Sign On Setting in Service Provider<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">We have to upload certificate downloaded from Identity Provider to here in Service provider while declaring SSO related settings. 
We have to come back here again to set the &#8220;<em>Identity Provider Login URL<\/em>&#8221;. We will get this URL once we define &#8220;Connected Apps&#8221; in the Identity Provider instance.<\/p>\n<p style=\"text-align: justify;\"><strong>Step 4 : Define Connected App for Service Provider in Identity Provider Instance<\/strong><\/p>\n<ul style=\"text-align: justify;\">\n<li>Log into the Salesforce organization that acts as the identity provider.<\/li>\n<li>From Setup, click &#8220;Create | Apps&#8221;, then in the &#8220;<em><span style=\"text-decoration: underline;\">Connected Apps<\/span><\/em>&#8221; section, click New.<\/li>\n<li>Specify the following information:<\/li>\n<\/ul>\n<ul style=\"text-align: justify;\">\n<li><span style=\"text-decoration: underline;\"><em>Connected App Name<\/em><\/span> &#8211; Salesforce Service Provider<\/li>\n<li><span style=\"text-decoration: underline;\"><em>Contact Email<\/em><\/span> &#8211; The email address salesforce.com should use for contacting you or your support team.<\/li>\n<li><span style=\"text-decoration: underline;\"><em>Enable SAML<\/em><\/span> &#8211; Select this option to enter service provider details.<\/li>\n<li><span style=\"text-decoration: underline;\"><em>Entity Id<\/em><\/span> &#8211; https:\/\/saml.salesforce.com<\/li>\n<li><span style=\"text-decoration: underline;\"><em>ACS URL<\/em><\/span> &#8211; Use the Salesforce Login URL from the Service Provider, as shown in Image 2<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">Once you save, you should see a settings page like the one shown below:<\/p>\n<figure id=\"attachment_3881\" aria-describedby=\"caption-attachment-3881\" style=\"width: 730px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Define-Connected-App-for-Service-Provider-in-Identity-Provide-Instance.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"wp-image-3881\" 
src=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Define-Connected-App-for-Service-Provider-in-Identity-Provide-Instance.png?resize=730%2C451&#038;ssl=1\" alt=\"Define Connected App for Service Provider in Identity Provide Instance\" width=\"730\" height=\"451\" srcset=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Define-Connected-App-for-Service-Provider-in-Identity-Provide-Instance.png?w=1067&amp;ssl=1 1067w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Define-Connected-App-for-Service-Provider-in-Identity-Provide-Instance.png?resize=300%2C185&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Define-Connected-App-for-Service-Provider-in-Identity-Provide-Instance.png?resize=1024%2C632&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Define-Connected-App-for-Service-Provider-in-Identity-Provide-Instance.png?resize=624%2C385&amp;ssl=1 624w\" sizes=\"auto, (max-width: 730px) 100vw, 730px\" \/><\/a><figcaption id=\"caption-attachment-3881\" class=\"wp-caption-text\">Image 3 : Define Connected App for Service Provider in Identity Provide Instance<\/figcaption><\/figure>\n<p style=\"text-align: justify;\"><em><span style=\"text-decoration: underline;\">Important Note :<\/span><\/em> Once you define Connected App, We need to add which <em>profiles <\/em>should be able to access this app.<\/p>\n<p style=\"text-align: justify;\">From above setting page, copy URL of &#8220;<em><span style=\"text-decoration: underline;\">IdP-Initiated Login URL<\/span><\/em>&#8221; and go back to SSO setting page of Service Provider and Add this URL. 
In Image 2, You can see placeholder in red font.<\/p>\n<figure id=\"attachment_3882\" aria-describedby=\"caption-attachment-3882\" style=\"width: 700px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/SAML-Single-Sign-On-Setting-in-Service-Provider-with-Identity-Provider-Login-URL.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"wp-image-3882\" src=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/SAML-Single-Sign-On-Setting-in-Service-Provider-with-Identity-Provider-Login-URL.png?resize=700%2C414&#038;ssl=1\" alt=\"SAML Single Sign On Setting in Service Provider with Identity Provider Login URL\" width=\"700\" height=\"414\" srcset=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/SAML-Single-Sign-On-Setting-in-Service-Provider-with-Identity-Provider-Login-URL.png?w=867&amp;ssl=1 867w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/SAML-Single-Sign-On-Setting-in-Service-Provider-with-Identity-Provider-Login-URL.png?resize=300%2C177&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/SAML-Single-Sign-On-Setting-in-Service-Provider-with-Identity-Provider-Login-URL.png?resize=624%2C369&amp;ssl=1 624w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><figcaption id=\"caption-attachment-3882\" class=\"wp-caption-text\">Image 4 &#8211; SAML Single Sign On Setting in Service Provider with Identity Provider Login URL<\/figcaption><\/figure>\n<p><strong>Step 5 : Setting up Users<\/strong><\/p>\n<p style=\"text-align: justify;\">Everything is already at place, Lets start with user setup.<\/p>\n<p style=\"text-align: justify;\">Copy one of Username from Identity Provider instance to &#8220;Federation Id&#8221; field of related user in Service Provider.<\/p>\n<p style=\"text-align: justify;\">Example : In Identity provider, I 
have the user &#8220;zaa.minal1@gmail.com&#8221;. In the Service Provider I have the user &#8220;zaa.minal@gmail.com&#8221; and want to relate the two. So in the &#8220;Federation Id&#8221; field of the &#8220;zaa.minal@gmail.com&#8221; user, I will enter &#8220;zaa.minal1@gmail.com&#8221;.<\/p>\n<figure id=\"attachment_3889\" aria-describedby=\"caption-attachment-3889\" style=\"width: 678px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/User-Setup-in-SSO-Salesforce1.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"wp-image-3889 size-full\" src=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/User-Setup-in-SSO-Salesforce1.png?resize=678%2C216&#038;ssl=1\" alt=\"User Setup in SSO Salesforce\" width=\"678\" height=\"216\" srcset=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/User-Setup-in-SSO-Salesforce1.png?w=678&amp;ssl=1 678w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/User-Setup-in-SSO-Salesforce1.png?resize=300%2C95&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/User-Setup-in-SSO-Salesforce1.png?resize=624%2C198&amp;ssl=1 624w\" sizes=\"auto, (max-width: 678px) 100vw, 678px\" \/><\/a><figcaption id=\"caption-attachment-3889\" class=\"wp-caption-text\">User Setup in SSO Salesforce<\/figcaption><\/figure>\n<p><strong>Testing Scenario 1 : IdP initiated SSO<\/strong><\/p>\n<p style=\"text-align: justify;\">You may want to log in to the Identity Provider org and have it redirect the user to the Service Provider. To do this, open the &#8220;<em>IdP-Initiated Login URL<\/em>&#8221; shown in Image 3 in a browser, making sure it is the complete URL. 
In my case, URL is something like : &#8220;<a title=\"Service Provider Demo in Salesforce\" href=\"https:\/\/zaa-dev-ed.my.salesforce.com\/idp\/login?app=0sp40000000TN1U\">https:\/\/zaa-dev-ed.my.salesforce.com\/idp\/login?app=0sp40000000TN1U<\/a>&#8220;<\/p>\n<p style=\"text-align: justify;\">Once you hit this URL, Login page will appear. Enter your Username of Identity Provider (This Username is Federation ID in Service Provider). If everything is good, you will be redirected to Service Provider.<\/p>\n<figure id=\"attachment_3885\" aria-describedby=\"caption-attachment-3885\" style=\"width: 750px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/IdP-Initiated-Single-Sign-On-Salesforce-as-IdP.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"wp-image-3885\" src=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/IdP-Initiated-Single-Sign-On-Salesforce-as-IdP.png?resize=750%2C213&#038;ssl=1\" alt=\"IdP Initiated Single Sign On - Salesforce as IdP\" width=\"750\" height=\"213\" srcset=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/IdP-Initiated-Single-Sign-On-Salesforce-as-IdP.png?w=879&amp;ssl=1 879w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/IdP-Initiated-Single-Sign-On-Salesforce-as-IdP.png?resize=300%2C85&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/IdP-Initiated-Single-Sign-On-Salesforce-as-IdP.png?resize=624%2C177&amp;ssl=1 624w\" sizes=\"auto, (max-width: 750px) 100vw, 750px\" \/><\/a><figcaption id=\"caption-attachment-3885\" class=\"wp-caption-text\">Image 6 &#8211; IdP Initiated Single Sign On &#8211; Salesforce as IdP<\/figcaption><\/figure>\n<p><strong>Testing Scenario 2 : Service Provider Initiated SSO<\/strong><\/p>\n<p style=\"text-align: justify;\">To Test this, we need to inform Salesforce that 
instead of the standard login page, users have to use the Single Sign-On settings.<\/p>\n<p style=\"text-align: justify;\">Navigate to &#8220;Domain Management | My Domain | Login Page Branding&#8221; and click Edit.<\/p>\n<figure id=\"attachment_3886\" aria-describedby=\"caption-attachment-3886\" style=\"width: 578px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Enable-Service-Provider-Initiated-Single-Sign-on-Salesforce.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-3886\" src=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Enable-Service-Provider-Initiated-Single-Sign-on-Salesforce.png?resize=578%2C472&#038;ssl=1\" alt=\"Enable Service Provider Initiated Single Sign on - Salesforce\" width=\"578\" height=\"472\" srcset=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Enable-Service-Provider-Initiated-Single-Sign-on-Salesforce.png?w=578&amp;ssl=1 578w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Enable-Service-Provider-Initiated-Single-Sign-on-Salesforce.png?resize=300%2C244&amp;ssl=1 300w\" sizes=\"auto, (max-width: 578px) 100vw, 578px\" \/><\/a><figcaption id=\"caption-attachment-3886\" class=\"wp-caption-text\">Image 7 &#8211; Enable Service Provider Initiated Single Sign on &#8211; Salesforce<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">As you can see in the above image, we get options for all SSO configurations as well as the Login Page. If we don't disable Login Page, users can log in with their standard Salesforce username and password and SSO will not be called. So uncheck everything except the required SSO settings and save.<\/p>\n<p style=\"text-align: justify;\">Now navigate to the login page of the Service Provider and enter the username and password of the Identity Provider. 
You should be redirected to Service provider after authentication.<\/p>\n<figure id=\"attachment_3887\" aria-describedby=\"caption-attachment-3887\" style=\"width: 700px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Service-Provider-Initiated-Single-Sign-On-Salesforce-as-IdP.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"wp-image-3887\" src=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Service-Provider-Initiated-Single-Sign-On-Salesforce-as-IdP.png?resize=700%2C250&#038;ssl=1\" alt=\"Service Provider Initiated Single Sign On - Salesforce as IdP\" width=\"700\" height=\"250\" srcset=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Service-Provider-Initiated-Single-Sign-On-Salesforce-as-IdP.png?w=854&amp;ssl=1 854w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Service-Provider-Initiated-Single-Sign-On-Salesforce-as-IdP.png?resize=300%2C107&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2014\/04\/Service-Provider-Initiated-Single-Sign-On-Salesforce-as-IdP.png?resize=624%2C222&amp;ssl=1 624w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><figcaption id=\"caption-attachment-3887\" class=\"wp-caption-text\">Image 8 &#8211; Service Provider Initiated Single Sign On &#8211; Salesforce as IdP<\/figcaption><\/figure>\n<p><strong>Testing scenario 3 : SSO in Salesforce1 app<\/strong><\/p>\n<p style=\"text-align: justify;\">In Salesforce1 application, If you try to setup IdP initiated SSO then you might run into below error<\/p>\n<p style=\"text-align: justify;\">The value of the &#8220;app&#8221; parameter contains a character that is not allowed or the value exceeds the maximum allowed length.<\/p>\n<p style=\"text-align: justify;\">I was not able to resolve above problem and posted question in <a title=\"SSO error in 
Salesforce1 - Salesforce as IDp\" href=\"http:\/\/salesforce.stackexchange.com\/questions\/33009\/sso-error-in-salesforce1-salesforce-as-idp\">StackExchange<\/a> as well, but had no luck. However, when I tried to log in using Service Provider Initiated SSO, I was able to resolve this problem.<\/p>\n<p><strong>Testing Scenario 4 : Interesting scenario in Single Sign On<\/strong><\/p>\n<p style=\"text-align: justify;\">Let's say I have implemented SSO for Salesforce, and the IdP is some .NET-based web service which implements SAML 2. When the user authenticated, he was active in the IdP as well as in the SP. He was successfully able to authenticate in the Salesforce1 app using OAuth (after the SAML-based login succeeded). However, after a few days he was deactivated in the IdP but is still active in the Service Provider (Salesforce). As he is still active in Salesforce and OAuth is already set up, he can access his Salesforce1 application. How should I check or revoke his access once he is no longer active in the Identity Provider? The same question was asked on <a title=\"Interesting scenario in Single Sign On\" href=\"http:\/\/salesforce.stackexchange.com\/questions\/33054\/interesting-scenario-in-single-sign-on\">StackExchange<\/a> also.<\/p>\n<p style=\"text-align: justify;\">After discussion with <a href=\"https:\/\/twitter.com\/metadaddy\">@metadaddy<\/a> and <a href=\"https:\/\/twitter.com\/cmort\">@cmort<\/a>, the only solution I found was to make a callout from the IdP to the Service Provider to remove the OAuth token or deactivate the user.<\/p>\n<blockquote class=\"twitter-tweet\" lang=\"en\"><p>Got it&#8230; Thanks <a href=\"https:\/\/twitter.com\/cmort\">@cmort<\/a> and <a href=\"https:\/\/twitter.com\/metadaddy\">@metadaddy<\/a>. 
I thought there would be some solution, as suggested I will make call out from IDP to Sp to disable.<\/p>\n<p>jitendra zaa (@ilovenagpur) <a href=\"https:\/\/twitter.com\/ilovenagpur\/statuses\/457186840592674816\">April 18, 2014<\/a><\/p><\/blockquote>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"jz_research_post":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[9],"tags":[258,241,260,175,238,259,237],"class_list":["post-3872","post","type-post","status-publish","format-standard","hentry","category-salesforce","tag-identity-provider","tag-idp-initiated-sso","tag-oauth","tag-salesforce-1","tag-saml","tag-service-provider","tag-sso"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true}